Monday, January 7, 2013

Logical Access Control

Logical access control is a very commonly used type of security measure. Aspects of logical access control include
  • Prevention of unauthorised access to the system
  • Detection unauthorised access to the system
  • Management of access to the system.
Access itself is not binary. There are a number of powers that can be given to the user namely
  • Read
  • Write
  • Delete
Access should be based purely on need and managing access should include at a minimum the following;
  • Segregration of duties should not be compromised.
  • Unique user identification
  • Require users to sign statements indicating understanding of their access rights
  • Granted of access dependent on suitable level of Authorisation including the system owner - extra scrutiny around requests > standard profiles.
  • Regular review of rights with redundant user IDs and accounts removed
However, given that higher levels of security come at a cost, the level of access security should be determined on the basis of a risk assessment.

A number of access security devices can be employed, but a basic log-on procedure should have the following features.
  • Warning notice
  • No help to users
  • Validation only on completion of all input data
  • Limited number of attempts
  • Record unsuccessful attempts
  • Enforce time delay between failed attempts
 Further ideas related to passwords are provided here.

Enhanced features may include encryption.

Managing a large number of users' access rights is a costly process which explains the use of standard user profiles.